Breaking State-of-the-Art Binary Code Obfuscation
|
|
|
- Austen Townsend
- 6 years ago
- Views:
Transcription
1 Breaking State-of-the-Art Binary Code Obfuscation A Program Synthesis-based Approach REcon Brussels February 2, 2018 Tim Moritz Chair for Systems Security Ruhr-Universität Bochum <firstname.lastname>@rub.de
2
3 Setting the Scene Obfuscated code, semantics? Traditional deobfuscation techniques Orthogonal approach 2
4 Motivation Prevent Complicate reverse engineering attempts. Intellectual Property Malicious Payloads Digital Rights Management 3
5 Motivation Prevent Complicate reverse engineering attempts. Intellectual Property Malicious Payloads Digital Rights Management We achieved our goals. We were uncracked for 13 whole days. Martin Slater, 2K Australia, on BioShock (2007). 3
6 How to protect software?
7 Approaches Abuse shortcomings of file parsers and other tools of the trade. fld tbyte ptr [ bad_values] crashing OllyDbg Fake SizeOfImage crashing process dumpers. 5
8 Approaches Abuse shortcomings of file parsers and other tools of the trade. fld tbyte ptr [ bad_values] crashing OllyDbg Fake SizeOfImage crashing process dumpers. Detect artifacts of the debugging process. PEB.BeingDebugged bit being set. int 2D and exception handling in debuggers. 5
9 Approaches Abuse shortcomings of file parsers and other tools of the trade. fld tbyte ptr [ bad_values] crashing OllyDbg Fake SizeOfImage crashing process dumpers. Detect artifacts of the debugging process. PEB.BeingDebugged bit being set. int 2D and exception handling in debuggers. 5
10 Requirements 1. We want the technique to be semantics-preserving. Preserve the observable behavior of the application. 6
11 Requirements 1. We want the technique to be semantics-preserving. 2. We want to avoid external dependencies, focus on code only. Assume white-box attack scenario. 6
12 Requirements 1. We want the technique to be semantics-preserving. 2. We want to avoid external dependencies, focus on code only. 3. We want techniques where effort(deploy) effort(attack). Anti-Debugging tricks are effort 1:1. 6
13 Code Obfuscation Techniques Opaque Predicates
14 A t A f f B B t C t f C C'
15 Opaque Predicates true call GetCurrentProcess cmp eax, 0xffffffff je block_a false block_a: block_b: 9
16 Opaque Predicates always taken call GetCurrentProcess cmp eax, 0xffffffff je block_a never taken block_a: dead code Opaque True Predicate 9
17 Opaque Predicates always taken call GetCurrentProcess cmp eax, 0xffffffff je block_a opaque predicate never taken block_a: dead code Opaque True Predicate 9
18 Opaque Predicates always taken call GetCurrentProcess cmp eax, 0xffffffff je block_a opaque value never taken block_a: dead code Opaque True Predicate 9
19 Opaque Predicates always taken mov eax, 0xffffffff cmp eax, 0xffffffff je block_a never taken block_a: dead code Opaque True Predicate 9
20 Opaque Predicates never taken mov eax, 0xffffffff cmp eax, 0xdeadbeef je block_a always taken dead code block_b: Opaque False Predicate 9
21 Opaque Predicates true call rand cmp eax, 0xdeadbeef je block_a false block_a: semantically equivalent block_a': Random Opaque Predicate duplicated block 9
22 Opaque Predicates Increase in complexity (branch count, McCabe) Can be built on hard problems (e. g., aliasing) Forces analyst to encode additional knowledge Hard to solve statically Examples GetCurrentProcess() 1 fldpi 1 st(0) = π x 2 0 x x + 1 x x pointer A must-alias pointer B checksum(code) = 0x1c43b5cf 10
23 Opaque Predicates Increase in complexity (branch count, McCabe) Can be built on hard problems (e. g., aliasing) Forces analyst to encode additional knowledge Hard to solve statically Solved for free using concrete execution traces Examples GetCurrentProcess() 1 fldpi 1 st(0) = π x 2 0 x x + 1 x x pointer A must-alias pointer B checksum(code) = 0x1c43b5cf 10
24 Code Obfuscation Techniques Virtual Machines
25 Virtual Machines mov ecx, [esp+4] xor eax, eax mov ebx, 1 secret_ip: mov edx, eax add edx, ebx mov eax, ebx mov ebx, edx loop secret_ip mov eax, ebx ret 12
26 Virtual Machines mov ecx, [esp+4] xor eax, eax mov ebx, 1 secret_ip: mov edx, eax add edx, ebx mov eax, ebx mov ebx, edx loop secret_ip mov eax, ebx ret 12
27 Virtual Machines mov ecx, [esp+4] xor eax, eax mov ebx, 1 secret_ip: mov edx, eax add edx, ebx mov eax, ebx mov ebx, edx loop secret_ip mov eax, ebx ret 12
28 Virtual Machines mov ecx, [esp+4] xor eax, eax mov ebx, 1 made-up instruction set secret_ip: mov edx, eax add edx, ebx mov eax, ebx mov ebx, edx loop secret_ip bytecode: vld r0 vpop r1 vld r2 vld r1 vadd r1 vld r2 vpop r0 vld r1 vpop r2 vldi #1 vld r3 vsub r3 vld #0 veq r3 vbr0 #-0E mov eax, ebx ret 12
29 Virtual Machines mov ecx, [esp+4] xor eax, eax mov ebx, 1 secret_ip: push bytecode call vm_entry made-up instruction set bytecode: db f db e c db 6f 6f 6b 20 6c 69 6b db e db 69 6e f 20 db 6d 65 2e de ad be ef mov eax, ebx ret 12
30 Virtual Machines mov ecx, [esp+4] xor eax, eax mov ebx, 1 secret_ip: push bytecode call vm_entry mov eax, ebx ret made-up instruction set bytecode: db f db e c db 6f 6f 6b 20 6c 69 6b db e db 69 6e f 20 db 6d 65 2e de ad be ef? 12
31 Virtual Machines Core Components VM Entry/Exit VM Dispatcher Handler Table Context Switch: native context virtual context Fetch Decode Execute loop Individual VM ISA instruction semantics Entry Exit Copy native context (registers, flags) to VM context. Copy VM context back to native context. Mapping from native to virtual registers is often 1:1. 13
32 Virtual Machines Core Components VM Entry/Exit VM Dispatcher Handler Table Context Switch: native context virtual context Fetch Decode Execute loop Individual VM ISA instruction semantics 1. Fetch and decode instruction 2. Forward virtual instruction pointer 3. Look up handler for opcode in handler table 4. Invoke handler FDE look up handle_vpush handle_vadd handle_vxor handle_vexit handle_vpop 13
33 Virtual Machines Core Components VM Entry/Exit VM Dispatcher Handler Table Context Switch: native context virtual context Fetch Decode Execute loop Individual VM ISA instruction semantics Table of function pointers indexed by opcode One handler per virtual instruction Each handler decodes operands and updates VM context FDE look up handle_vpush handle_vadd handle_vxor handle_vexit handle_vpop 13
34 Virtual Machines 14
35 Virtual Machines handle_vpush handle_vadd handle_vxor handle_vexit handle_vpop look up FDE } VM } VM Entry Dispatcher (FDE) Individual Handlers VM Exit (as handler) 14
36 Virtual Machines vm_dispatcher: mov bl, [rsi] inc rsi movzx rax, bl jmp handler_table[rax * 8] VM Dispatcher rsi virtual instruction pointer rbp VM context 15
37 Virtual Machines vm_dispatcher: mov bl, [rsi] inc rsi movzx rax, bl jmp handler_table[rax * 8] VM Dispatcher handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rsi virtual instruction pointer rbp VM context Handler performing nor (with flag side-effects) 15
38 Virtual Machine Hardening
39 Virtual Machines Hardening Technique #1 Obfuscating individual VM components. Handlers are conceptually simple. 17
40 Virtual Machines Hardening Technique #1 Obfuscating individual VM components. Handlers are conceptually simple. Apply traditional code obfuscation transformations: Substitution (mov rax, rbx push rbx; pop rax) Opaque Predicates Junk Code mov eax, dword [rbp] mov ecx, dword [rbp+4] cmp r11w, r13w sub rbp, 4 not eax clc cmc cmp rdx, 0x28b105fa not ecx cmp r12b, r9b 17
41 Virtual Machines Hardening Technique #2 Duplicating VM handlers. Handler table is typically indexed using one byte (= 256 entries). 18
42 Virtual Machines Hardening Technique #2 Duplicating VM handlers. Handler table is typically indexed using one byte (= 256 entries). Idea: Duplicate existing handlers to populate full table. Use traditional obfuscation techniques to impede code similarity analyses. Goal: Increase workload of reverse engineer. 18
43 handle_vpush handle_vadd handle_vnor handle_vpop
44 handle_vpush handle_vadd handle_vnor handle_vpop handle_vpush handle_vadd handle_vnor'' handle_vpop handle_vadd' handle_vnor handle_vnor' handle_vadd''
45 Virtual Machines Hardening Technique #3 No central VM dispatcher. A central VM dispatcher allows attacker to easily observe VM execution. Idea: Instead of branching to the central dispatcher, inline it into each handler. Goal: No single point of failure. (Themida, VMProtect Demo) 20
46 FDE handle_vnor handle_
47 handle_vnor handle_ FDE FDE
48
49 Virtual Machines Hardening Technique #4 No explicit handler table. An explicit handler table easily reveals all VM handlers. 23
50 Virtual Machines Hardening Technique #4 No explicit handler table. An explicit handler table easily reveals all VM handlers. Idea: Instead of querying an explicit handler table, encode the next handler address in the VM instruction itself. Goal: Hide location of handlers that have not been executed yet. (VMProtect Full, SolidShield) 23
51 Virtual Machines Hardening Technique #4 No explicit handler table. An explicit handler table easily reveals all VM handlers. Idea: opcode op 0 op 1 Instead of querying an explicit handler table, encode the next handler address in the VM instruction itself. Goal: Hide location of handlers that have not been executed yet. (VMProtect Full, SolidShield) 23
52 Virtual Machines Hardening Technique #4 No explicit handler table. An explicit handler table easily reveals all VM handlers. Idea: opcode op 0 op 1 next handler addr Instead of querying an explicit handler table, encode the next handler address in the VM instruction itself. Goal: Hide location of handlers that have not been executed yet. (VMProtect Full, SolidShield) 23
53
54 Virtual Machines Hardening Technique #5 Blinding VM bytecode. Global analyses on the bytecode possible, easy to patch instructions. 25
55 Virtual Machines Hardening Technique #5 Blinding VM bytecode. Global analyses on the bytecode possible, easy to patch instructions. Idea: Flow-sensitive instruction decoding ( decryption based on key register). Custom decryption routine per handler, diversification. Patching requires re-encryption of subsequent bytecode. Goal: Hinder global analyses of bytecode and patching. 25
56 operand [vip + 0] context next_handler [vip + 4] semantics(context, operand) vip vip + 8 jmp next_handler 26
57 operand [vip + 0] operand key unmangle(operand, key) unmangle (key, operand) context next_handler [vip + 4] semantics(context, operand) next_handler key unmangle (next_handler, key) unmangle (key, next_handler) vip vip + 8 jmp next_handler 26
58 Code Obfuscation Techniques Mixed Boolean-Arithmetic
59 Mixed Boolean-Arithmetic What does this expression compute? (x y) + 2 (x y) 28
60 Mixed Boolean-Arithmetic What does this expression compute? (x y) + 2 (x y) = x + y 28
61 Mixed Boolean-Arithmetic What does this expression compute? (((x y) + ((x y) 1)) z) + (((x y) + ((x y) 1)) z) 28
62 Mixed Boolean-Arithmetic What does this expression compute? (((x y) + ((x y) 1)) z) + (((x y) + ((x y) 1)) z) = x + y + z Boolean identities? Arithmetic identities? Karnaugh-Veitch maps? A 0 = 0 A + B = A B x 2 y 2 = (x + y)(x y) 28
63 Mixed Boolean-Arithmetic Boolean-arithmetic algebra BA[n] (B n,,,,,,, >, <, s, s, > s, < s,, =, s,,, +,, ) is a Boolean-arithmetic algebra BA[n], for n > 0, B = {0, 1}. BA[n] includes, amongst others, both: Boolean algebra (B n,,, ), Integer modular ring Z/(2 n ). No techniques to simplify such expressions easily! 29
64 Deobfuscation
65 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects)
66 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] Handler performing nor (with flag side-effects)
67 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] rbx [rbp + 4] Handler performing nor (with flag side-effects)
68 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] rbx [rbp + 4] rcx rcx = [rbp] Handler performing nor (with flag side-effects)
69 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] rbx [rbp + 4] rcx rcx = [rbp] rbx rbx = [rbp + 4] Handler performing nor (with flag side-effects)
70 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] rbx [rbp + 4] rcx rcx = [rbp] rbx rbx = [rbp + 4] rcx rcx rbx = ( [rbp]) ( [rbp + 4]) Handler performing nor (with flag side-effects)
71 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] rbx [rbp + 4] rcx rcx = [rbp] rbx rbx = [rbp + 4] rcx rcx rbx = ( [rbp]) ( [rbp + 4]) = [rbp] [rbp + 4] Handler performing nor (with flag side-effects)
72 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] rbx [rbp + 4] rcx rcx = [rbp] rbx rbx = [rbp + 4] rcx rcx rbx = ( [rbp]) ( [rbp + 4]) = [rbp] [rbp + 4] [rbp + 4] rcx = [rbp] [rbp + 4] Handler performing nor (with flag side-effects) 31
73 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rcx [rbp] rbx [rbp + 4] rcx rcx = [rbp] rbx rbx = [rbp + 4] rcx rcx rbx = ( [rbp]) ( [rbp + 4]) = [rbp] [rbp + 4] [rbp + 4] rcx = [rbp] [rbp + 4] rsp rsp 4 [rsp] flags Handler performing nor (with flag side-effects) 31
74 Symbolic Execution handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects) rcx [rbp] rbx [rbp + 4] rcx rcx = [rbp] rbx rbx = [rbp + 4] rcx rcx rbx = ( [rbp]) ( [rbp + 4]) = [rbp] [rbp + 4] [rbp + 4] rcx = [rbp] [rbp + 4] rsp rsp 4 [rsp] flags [rbp] [rsp] = flags rsp rsp
75 Symbolic Execution handle_vnor: rcx [rbp] mov rcx, [rbp] rbx [rbp + 4] mov rbx, [rbp + 4] rcx rcx = [rbp] not rcx rbx rbx = [rbp + 4] not rbx rcx rcx rbx and rcx, [rbp rbx + 4] ([rbp] = ( [rbp]) ( + [rbp 4]) + mov [rbp + 4], rcx = [rbp] [rbp + 4] pushf [rbp + 4] rcx = [rbp] [rbp + 4] pop [rbp] jmp vm_dispatcher rsp rsp 4 Handler performing nor (with flag side-effects) [rsp] flags [rbp] [rsp] = flags rsp rsp
76 Virtual Machine Handler mov eax, dword [rbp] mov ecx, dword [rbp + 4] cmp r11w, r13w sub rbp, 4 not eax clc cmc cmp rdx, 0x28b105fa not ecx cmp r12b, r9b cmc and eax, ecx jmp 0xc239 mov word [rbp + 8], eax pushfq movzx eax, r10w and ax, di pop qword [rbp] sub rsi, 4 shld rax, rdx, 0x1b xor ah, 0x4d mov eax, dword [rsi] cmp ecx, r11d test r10, 0x179708d5 xor eax, ebx jmp 0xfffffffffff63380 dec eax stc ror eax, 1 jmp 0xffffffffffff2a70 dec eax clc bswap eax test bp, 0x5124 neg eax test dil, 0xe9 cmp bx, r14w cmc push rbx sub bx, 0x49f8 xor dword [rsp], eax and bh, 0xaf pop rbx movsxd rax, eax test r13b, 0x94 add rdi, rax jmp 0xfffffffffffc67c7 lea rax, [rsp + 0x140] cmp rbp, rax ja 0x6557b jmp rdi
77 Virtual Machine Handler IRDst = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})[31:32]?((RDI_init+{(- {((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0xFFFFFFFF 32 64}),(RDI_init+{(- {((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0x }))) pf = parity(((rbp_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)&0xFF)) cf = ((((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC))&((RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140)))^(RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140))[63:64] af = ((RBP_init+(- = (((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))?({0x2 0 2, parity(((@32 [RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF)&0xFF)) 2 3, 0x0 3 4, (((- R9_init[0:8])+R12_init[0:8])^R12_init[0:8]^R9_init[0:8])[4:5] 4 5, 0x0 5 7, ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))[31:32] 7 8, tf_init 8 9, i_f_init 9 10, df_init 10 11, 0x , iopl_f_init 12 14, nt_init 14 15, 0x , rf_init 16 17, vm_init 17 18, ac_init 18 19, vif_init 19 20, vip_init 20 21, i_d_init 21 22, 0x },{0x2 0 2, parity(((@32[rbp_init]^0xffffffff)&(@32[(rbp_init +0x4)]^0xFFFFFFFF)&0xFF)) 2 3, 0x0 3 4, (((- R9_init[0:8])+R12_init[0:8])^R12_init[0:8]^R9_init[0:8])[4:5] 4 5, 0x2 5 7, ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))[31:32] 7 8, tf_init 8 9, i_f_init 9 10, df_init 10 11, 0x , iopl_f_init 12 14, nt_init 14 15, 0x , rf_init 16 17, vm_init 17 18, ac_init 18 19, vif_init 19 20, vip_init 20 21, i_d_init 21 22, 0x })) RAX = (RSP_init+0x140) of = (((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init +0xFFFFFFFFFFFFFFFC))&((RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140)))[63:64] RCX = {(@32[(RBP_init+0x4)]^0xFFFFFFFF) 0 32, 0x0 32 = ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF)) RBX = {((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})^RBX_init[0:32]) 0 32, RBX_init[32:64] 32 64} RBP = (RBP_init+0xFFFFFFFFFFFFFFFC) zf = ((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)?(0x0,0x1)) RSI = (RSI_init+0xFFFFFFFFFFFFFFFC) RDI = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})[31:32]?((RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0xFFFFFFFF 32 64}),(RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0x }))) nf = (RBP_init+(- = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32]) +0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF) [8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 = RBX_init[32:64]
78 Virtual Machine Handler IRDst = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})[31:32]?((RDI_init+{(- {((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0xFFFFFFFF 32 64}),(RDI_init+{(- {((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0x }))) pf = parity(((rbp_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)&0xFF)) cf = ((((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC))&((RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140)))^(RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140))[63:64] af = ((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140))[4:5] M1 = ( = ( M2) (((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))?({0x2 0 2, parity(((@32 [RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF)&0xFF)) 2 3, 0x0 3 4, (((- R9_init[0:8])+R12_init[0:8])^R12_init[0:8]^R9_init[0:8])[4:5] 4 5, 0x0 5 7, ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))[31:32] 7 8, tf_init 8 9, i_f_init 9 10, df_init 10 11, 0x , iopl_f_init 12 14, nt_init 14 15, 0x , rf_init 16 17, vm_init 17 18, ac_init 18 19, vif_init 19 20, vip_init 20 21, i_d_init 21 22, 0x },{0x2 0 2, parity(((@32[rbp_init]^0xffffffff)&(@32[(rbp_init +0x4)]^0xFFFFFFFF)&0xFF)) 2 3, 0x0 3 4, (((- R9_init[0:8])+R12_init[0:8])^R12_init[0:8]^R9_init[0:8])[4:5] 4 5, 0x2 5 7, ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF))[31:32] 7 8, tf_init 8 9, i_f_init 9 10, df_init 10 11, 0x , iopl_f_init 12 14, nt_init 14 15, 0x , rf_init 16 17, vm_init 17 18, ac_init 18 19, vif_init 19 20, vip_init 20 21, i_d_init 21 22, 0x })) RAX = (RSP_init+0x140) of = (((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)^(RBP_init +0xFFFFFFFFFFFFFFFC))&((RBP_init+0xFFFFFFFFFFFFFFFC)^(RSP_init+0x140)))[63:64] RCX = {(@32[(RBP_init+0x4)]^0xFFFFFFFF) 0 32, 0x0 32 = ((@32[RBP_init]^0xFFFFFFFF)&(@32[(RBP_init+0x4)]^0xFFFFFFFF)) RBX = {((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})^RBX_init[0:32]) 0 32, RBX_init[32:64] 32 64} RBP = (RBP_init+0xFFFFFFFFFFFFFFFC) zf = ((RBP_init+(- RSP_init)+0xFFFFFFFFFFFFFEBC)?(0x0,0x1)) RSI = (RSI_init+0xFFFFFFFFFFFFFFFC) RDI = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32})[31:32]?((RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0xFFFFFFFF 32 64}),(RDI_init+{(- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init +0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init [0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 32}) 0 32, 0x }))) nf = (RBP_init+(- = ((- {((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32]) +0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[24:32] 0 8, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[16:24] 8 16, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF) [8:16] 16 24, ((((@32[(RSI_init+0xFFFFFFFFFFFFFFFC)]^RBX_init[0:32])+0xFFFFFFFF) >>> 0x1)+0xFFFFFFFF)[0:8] 24 = RBX_init[32:64]
79 Mixed Boolean-Arithmetic Expression int mixed_boolean(int A, int B, int C) { int result; result = ((( (((( C) * (( * C) ( * ( A) ))) + A) )) * (( * (((( C) * (( * C) ( * ( A) ))) + A) )) ( * ( B) ))) - (( ( (((( C) * (( * C) ( * ( A) ))) + A) ))) * (( * ( (((( C) * (( * C) ( * ( A) ))) + A) ))) ( * B )))) ; } return * result ;
80 Mixed Boolean-Arithmetic Expression RAX = {((((- ((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+(@32[(RBP_init +0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] [31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init +0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D))) [0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32] +0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32] +0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0x } *0x55BE239B)))[0:32]+0xB )[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B))) [0:32]+(@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64} *0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B))) [0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]? (({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64} *0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B))) [0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0x }*0x55BE239B)))[0:32]+0xB ) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+(@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64} *0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B))) [0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),
81 Mixed Boolean-Arithmetic Expression RAX = {((((- ((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+(@32[(RBP_init +0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] [31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init +0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D))) [0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32] +0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32] +0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0x } *0x55BE239B)))[0:32]+0xB )[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B))) [0:32]+(@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] RAX 0 32, 0xFFFFFFFF = 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] (M4 M0) 0 32, 0x0 32 M2 64}*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64} *0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B))) [0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]? (({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64} *0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B))) [0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0x }*0x55BE239B)))[0:32]+0xB ) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+(@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+((((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init +0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init +0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32 [(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A))[31:32]?(({(((- (((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init +0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64} *0xFFFFFFFFA7E08A93),({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0xFFFFFFFFA7E08A93)))[0:32])+0xB03CEE0A) ((((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x }*0x55BE239B))) [0:32]+0x5C99A1A9) 0 32, 0xFFFFFFFF 32 64}*0x581F756D),({((@32[(RBP_init+0xFFFFFFFFFFFFFFFC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFFC)] 0 32, 0x } *0x55BE239B)))[0:32]+0x5C99A1A9) 0 32, 0x }*0x581F756D)))[0:32]+0xB03CEE0A)) 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),({(((- (((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64} *0x55BE239B),({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0x }*0x55BE239B)))[0:32]+0x5C99A1A9)[31:32]?(({((@32[(RBP_init+0xFFFFFFFFFFFFFFEC)][31:32]?(({@32[(RBP_init+0xFFFFFFFFFFFFFFEC)] 0 32, 0xFFFFFFFF 32 64}*0x55BE239B),
82 Symbolic Execution Captures full semantics of executed code Computer algebra system, some degree of simplification Usability decreases with increasing syntactic complexity Artificial complexity (substitution, ) Algebraic complexity (MBA) 34
83 Symbolic Execution Captures full semantics of executed code Computer algebra system, some degree of simplification Usability decreases with increasing syntactic complexity Artificial complexity (substitution, ) Algebraic complexity (MBA) What if we could reason about semantics only instead of syntax? 34
84 Program Synthesis
85 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) 36
86 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (1,1,1)? 3 36
87 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (1,1,1)? 3 (1, 1, 1) 3 36
88 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (2,3,1)? 6 (1, 1, 1) 3 36
89 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (2,3,1)? 6 (1, 1, 1) 3 (2, 3, 1) 6 36
90 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (0,7,2)? 9 (1, 1, 1) 3 (2, 3, 1) 6 36
91 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (0,7,2)? 9 (1, 1, 1) 3 (2, 3, 1) 6 (0, 7, 2) 9 36
92 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (1, 1, 1) 3 (2, 3, 1) 6 (0, 7, 2) 9 We learn a function that has the same I/O behavior: 36
93 Program Synthesis: A Semantic Approach We use f as a black-box: f(x, y, z) := (((x y) + ((x y) 2)) z) + (((x y) + ((x y) 2)) z) (1, 1, 1) 3 (2, 3, 1) 6 (0, 7, 2) 9 We learn a function that has the same I/O behavior: h(x, y, z) := x + y + z 36
94 How to synthesize programs?
95 Stochastic Program Synthesis probabilistic optimization problem global maxima 38
96 Stochastic Program Synthesis probabilistic optimization problem global maxima
97 Stochastic Program Synthesis probabilistic optimization problem based on Monte Carlo Tree Search (MCTS) global maxima
98 Let s synthesize: a + b mod 8
99 Program Generation U U + U U U a b 40
100 Program Generation U U + U U U a b non-terminal symbol: U 40
101 Program Generation U U + U U U a b non-terminal symbol: U input variables: {a, b} 40
102 Program Generation U U + U U U a b non-terminal symbol: U input variables: {a, b} candidate programs: a, b, a b, a + b,... 40
103 Program Generation U U + U U U a b non-terminal symbol: U input variables: {a, b} candidate programs: a, b, a b, a + b,... intermediate programs: U + U, U U, U + b,... 40
104 Monte Carlo Tree Search U 41
105 Monte Carlo Tree Search U a 41
106 Monte Carlo Tree Search U a
107 Monte Carlo Tree Search U a
108 Monte Carlo Tree Search U a 0.64 b 41
109 Monte Carlo Tree Search U a b
110 Monte Carlo Tree Search U a b
111 Monte Carlo Tree Search U U*U a b
112 Monte Carlo Tree Search U U*U a b (a+a)*(b*a) 41
113 Monte Carlo Tree Search U U*U 0.39 a b
114 Monte Carlo Tree Search U U*U 0.39 a b
115 Monte Carlo Tree Search U U*U 0.39 U+U a b
116 Monte Carlo Tree Search U U*U 0.39 U+U a b a+(b+b) 41
117 Monte Carlo Tree Search U U*U U+U a b
118 Monte Carlo Tree Search U U*U U+U a b
119 Monte Carlo Tree Search U U*U U+U a b
120 Monte Carlo Tree Search U U*U U+U a b U+(U+U) 41
121 Monte Carlo Tree Search U U*U U+U a b U+(U+U) (a+a)+((a*b)+b) 41
122 Monte Carlo Tree Search U U*U U+U a b U+(U+U)
123 Monte Carlo Tree Search U U*U U+U a b U+(U+U)
124 Monte Carlo Tree Search U U*U U+U a b U+(U+U)
125 Monte Carlo Tree Search U U*U U+U a b U+(U+U)
126 Monte Carlo Tree Search U U*U U+U a b U+(U+U)
127 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U)
128 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U)
129 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U)
130 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U)
131 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U)
132 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U)
133 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U)
134 Monte Carlo Tree Search U U+b U*U U+(U+U) U+U a b U+(U*U) 41
135 Monte Carlo Tree Search U U+b U*U U+(U+U) U+U a b U+(U*U) 41
136 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+(U*U)
137 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+(U*U)
138 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+(U*U)
139 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+(U*U)
140 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+(U*U)
141 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
142 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
143 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
144 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
145 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
146 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
147 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
148 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U)
149 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a 41
150 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a 41
151 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
152 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
153 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
154 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
155 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
156 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
157 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
158 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) (U*U)+a
159 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) (U*U)+a
160 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) (U*U)+a
161 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
162 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
163 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
164 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
165 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
166 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
167 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
168 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a
169 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a 0.75 b+a 41
170 Monte Carlo Tree Search U U*U U+U a b U+b U+(U+U) U+a U+(U*U) a+(u+u) 0.68 (U*U)+a b+a
171 Score Calculation (2,2)? 42
172 Score Calculation (2,2)? 4 42
173 Score Calculation (2,2)?
174 Score Calculation (2,2) similarity(4, 6) = 0.78?
175 Score Calculation (5,3) similarity(4, 6) = 0.78? 42
176 Score Calculation (5,3) similarity(4, 6) = 0.78? 0 42
177 Score Calculation (5,3) similarity(4, 6) = 0.78?
178 Score Calculation (5,3) similarity(4, 6) = 0.78? similarity(0, 3) =
179 Score Calculation (3,0) similarity(4, 6) = 0.78? similarity(0, 3) =
180 Score Calculation (3,0) similarity(4, 6) = 0.78? similarity(0, 3) =
181 Score Calculation (3,0) similarity(4, 6) = 0.78? similarity(0, 3) =
182 Score Calculation (3,0) similarity(4, 6) = 0.78? similarity(0, 3) = 0.33 similarity(3, 3) =
183 Score Calculation (3,0) similarity(4, 6) = 0.78? similarity(0, 3) = 0.33 similarity(3, 3) = average score:
184 Output Similarity: similarity(o, O ) Let s compare: 43
185 Output Similarity: similarity(o, O ) Are they in the same range? 43
186 Output Similarity: similarity(o, O ) How many bits are different? 43
187 Output Similarity: similarity(o, O ) How close are they numerically? 43
188 DEMO
189 How to synthesize obfuscated code?
190 Obtaining Code static disassembly 46
191 Obtaining Code f e c 6f 6f 6b 20 6c 69 6b e e f 20 6d 65 2e de ad be ef static disassembly memory dump 46
192 Obtaining Code f e c 6f 6f 6b 20 6c 69 6b e e f 20 6d 65 2e de ad be ef mov r15, 0x200 mov r15, rdx xor r15, 0x800 xor r10d, dword ptr [r12] mov rbx, rbp sub r15, 0x800 add rbx, 0xc0 or rdx, 0x400 mov rbx, qword ptr [rbx] mov rsi, 0x200 mov r13, 1 mov r14, rbp mov rcx, 0 sub rsi, rsi mov r15, rbp mov rdi, rbp add r15, 0xc0 mov r8, 0x400 or rcx, 0x88 sub rsi, r9 add rbx, 0xb sub r8, rsi mov r15, qword ptr [r15] add r14, 0 or r12, 0xffffffff add rsi, rax sub rcx, 0x78 and r8, 0x88 movzx r10, word ptr [rbx] xor rsi, r14 xor r12, r13 mov rsi, rbp add r12, 0xffff add rdi, 0xc0 add r15, 0 sub r8, rdi mov r8, rbp add r8, 0x78 sub rcx, 0x10 add rsi, 4 or r12, r12 mov rcx, 0x200 or rcx, 0x800 mov rdi, qword ptr [rdi] movzx r11, word ptr [r15] add dword ptr [rsi], 0x254 xor rcx, 0x800 xor rcx, 0xf0 mov r12, r15 add rcx, r10 add r8, 0 add rdi, 6 xor r12, 0xf0 mov r8, 0x400 mov rbx, 0x58 mov ax, word ptr [rdi] add r11, rbp mov r8, 1 static disassembly memory dump instruction trace 46
193 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects) 47
194 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? rbx Handler performing nor (with flag side-effects) 47
195 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? rbx (0,5) -1? Handler performing nor (with flag side-effects) 47
196 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? rbx (0,5) -1? (2,7) -3? Handler performing nor (with flag side-effects) 47
197 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects)? rbx (0,5) -1? (2,7) -3? 47
198 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects) rbx m 0? rbx? (0,5) -1 (2,7) -3? 47
199 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? rcx Handler performing nor (with flag side-effects) 47
200 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? rcx (3,6) -8? Handler performing nor (with flag side-effects) 47
201 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? rcx (3,6) -8? (1,1) -2? Handler performing nor (with flag side-effects) 47
202 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects)? rcx (3,6) -8? (1,1) -2? 47
203 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects)? rcx? rcx (m 0 m 1 ) (3,6) -8 (1,1) -2? 47
204 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? Handler performing nor (with flag side-effects) 47
205 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? (0,0) -1? Handler performing nor (with flag side-effects) 47
206 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher? (0,0) -1? (4,3) -8? Handler performing nor (with flag side-effects) 47
207 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects)? (0,0) -1? (4,3) -8? 47
208 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher Handler performing nor (with flag side-effects)?? M 0 (m 0 m 1 ) (0,0) -1 (4,3) -8? 47
209 Learning Code Semantics handle_vnor: mov rcx, [rbp] mov rbx, [rbp + 4] not rcx not rbx and rcx, rbx mov [rbp + 4], rcx pushf pop [rbp] jmp vm_dispatcher rbx m 0 rcx (m 0 m 1 ) M 0 (m 0 m 1 ) Handler performing nor (with flag side-effects) 47
210 I/O Sampling WinDbg x64dbg Unicorn Miasm angr <your tool here> Metasm 48
Let s Break Modern Binary Code Obfuscation
Let s Break Modern Binary Code Obfuscation 34 th Chaos Communication Congress, Leipzig December 27, 2017 Tim Blazytko @mr_phrazer http://synthesis.to Moritz Contag @dwuid https://dwuid.com Chair for Systems
Registers. Ray Seyfarth. September 8, Bit Intel Assembly Language c 2011 Ray Seyfarth
Registers Ray Seyfarth September 8, 2011 Outline 1 Register basics 2 Moving a constant into a register 3 Moving a value from memory into a register 4 Moving values from a register into memory 5 Moving
Inside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015.
16 January 2015 Agenda Describe what VMProtect is Introduce code virtualization in software protection Methods for circumvention VM logic Warning Some assumptions are made in this presentation Only few
Assembly Language Each statement in an assembly language program consists of four parts or fields.
Chapter 3: Addressing Modes Assembly Language Each statement in an assembly language program consists of four parts or fields. The leftmost field is called the label. - used to identify the name of a memory
CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 4 LAST TIME Enhanced our processor design in several ways Added branching support Allows programs where work is proportional to the input values
CS Bootcamp x86-64 Autumn 2015
The x86-64 instruction set architecture (ISA) is used by most laptop and desktop processors. We will be embedding assembly into some of our C++ code to explore programming in assembly language. Depending
Rev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html
Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose of teaching how reverse engineering works. Use your mad skillz only in CTFs
Computer Processors. Part 2. Components of a Processor. Execution Unit The ALU. Execution Unit. The Brains of the Box. Processors. Execution Unit (EU)
Part 2 Computer Processors Processors The Brains of the Box Computer Processors Components of a Processor The Central Processing Unit (CPU) is the most complex part of a computer In fact, it is the computer
Do not turn the page until 5:10.
University of Washington Computer Science & Engineering Autumn 2018 Instructor: Justin Hsia 2018-10-29 Last Name: First Name: Student ID Number: Name of person to your Left Right All work is my own. I
Instruction Set Architectures
Instruction Set Architectures Computer Systems: Section 4.1 Suppose you built a computer What Building Blocks would you use? Arithmetic Logic Unit (ALU) OP1 OP2 OPERATION ALU RES ALU + Registers R0: 0x0000
6/20/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:
Introduction Efficient software development for the microprocessor requires a complete familiarity with the addressing modes employed by each instruction. This chapter explains the operation of the stack
Assembly Language Programming 64-bit environments
Assembly Language Programming 64-bit environments October 17, 2017 Some recent history Intel together with HP start to work on 64-bit processor using VLIW technology. Itanium processor is born with the
CSE351 Spring 2018, Midterm Exam April 27, 2018
CSE351 Spring 2018, Midterm Exam April 27, 2018 Please do not turn the page until 11:30. Last Name: First Name: Student ID Number: Name of person to your left: Name of person to your right: Signature indicating:
Instruction Set Architectures
Instruction Set Architectures! ISAs! Brief history of processors and architectures! C, assembly, machine code! Assembly basics: registers, operands, move instructions 1 What should the HW/SW interface
Module 3 Instruction Set Architecture (ISA)
Module 3 Instruction Set Architecture (ISA) I S A L E V E L E L E M E N T S O F I N S T R U C T I O N S I N S T R U C T I O N S T Y P E S N U M B E R O F A D D R E S S E S R E G I S T E R S T Y P E S O
Practical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"
X86 Addressing Modes Chapter 3" Review: Instructions to Recognize" 1 Arithmetic Instructions (1)! Two Operand Instructions" ADD Dest, Src Dest = Dest + Src SUB Dest, Src Dest = Dest - Src MUL Dest, Src
CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
Computer Architecture and System Programming Laboratory. TA Session 3
Computer Architecture and System Programming Laboratory TA Session 3 Stack - LIFO word-size data structure STACK is temporary storage memory area register points on top of stack (by default, it is highest
CSC 8400: Computer Systems. Machine-Level Representation of Programs
CSC 8400: Computer Systems Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 Compilation Stages
x86-64 Programming II
x86-64 Programming II CSE 351 Winter 2018 Instructor: Mark Wyse Teaching Assistants: Kevin Bi Parker DeWilde Emily Furst Sarah House Waylon Huang Vinny Palaniappan http://xkcd.com/409/ Administrative Homework
Functions. Ray Seyfarth. August 4, Bit Intel Assembly Language c 2011 Ray Seyfarth
Functions Ray Seyfarth August 4, 2011 Functions We will write C compatible function C++ can also call C functions using extern "C" {...} It is generally not sensible to write complete assembly programs
Machine Program: Procedure. Zhaoguo Wang
Machine Program: Procedure Zhaoguo Wang Requirements of procedure calls? P() { y = Q(x); y++; 1. Passing control int Q(int i) { int t, z; return z; Requirements of procedure calls? P() { y = Q(x); y++;
Machine Language CS 3330 Samira Khan
Machine Language CS 3330 Samira Khan University of Virginia Feb 2, 2017 AGENDA Logistics Review of Abstractions Machine Language 2 Logistics Feedback Not clear Hard to hear Use microphone Good feedback
Instruction Set Architecture (ISA) Data Types
Instruction Set Architecture (ISA) Data Types Computer Systems: Section 4.1 Suppose you built a computer What Building Blocks would you use? Arithmetic Logic Unit (ALU) OP1 OP2 OPERATION ALU RES Full Adder
EEM336 Microprocessors I. Addressing Modes
EEM336 Microprocessors I Addressing Modes Introduction Efficient software development for the microprocessor requires a complete familiarity with the addressing modes employed by each instruction. This
3.1 DATA MOVEMENT INSTRUCTIONS 45
3.1.1 General-Purpose Data Movement s 45 3.1.2 Stack Manipulation... 46 3.1.3 Type Conversion... 48 3.2.1 Addition and Subtraction... 51 3.1 DATA MOVEMENT INSTRUCTIONS 45 MOV (Move) transfers a byte, word,
Do not turn the page until 11:30.
University of Washington Computer Science & Engineering Autumn 2016 Instructor: Justin Hsia 2016-11-02 Last Name: First Name: Perfect Perry Student ID Number: 1234567 Section you attend (circle): Chris
Lecture 4 CIS 341: COMPILERS
Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic
C to Assembly SPEED LIMIT LECTURE Performance Engineering of Software Systems. I-Ting Angelina Lee. September 13, 2012
6.172 Performance Engineering of Software Systems SPEED LIMIT PER ORDER OF 6.172 LECTURE 3 C to Assembly I-Ting Angelina Lee September 13, 2012 2012 Charles E. Leiserson and I-Ting Angelina Lee 1 Bugs
complement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]
![complement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]](/thumbs/76/72989659.jpg "complement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]")
The following pages contain references for use during the exam: tables containing the x86 instruction set (covered so far) and condition codes. You do not need to submit these pages when you finish your
Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
x86 Programming II CSE 351 Winter
x86 Programming II CSE 351 Winter 2017 http://xkcd.com/1652/ Administrivia 2 Address Computation Instruction v leaq src, dst lea stands for load effective address src is address expression (any of the
Marking Scheme. Examination Paper Department of CE. Module: Microprocessors (630313)
Philadelphia University Faculty of Engineering Marking Scheme Examination Paper Department of CE Module: Microprocessors (630313) Final Exam Second Semester Date: 02/06/2018 Section 1 Weighting 40% of
CSE 351 Midterm Exam
University of Washington Computer Science & Engineering Winter 2018 Instructor: Mark Wyse February 5, 2018 CSE 351 Midterm Exam Last Name: First Name: SOLUTIONS UW Student ID Number: UW NetID (username):
CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
Assembly II: Control Flow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly II: Control Flow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Processor State (x86-64) RAX 63 31 EAX 0 RBX EBX RCX RDX ECX EDX General-purpose
Credits and Disclaimers
Credits and Disclaimers 1 The examples and discussion in the following slides have been adapted from a variety of sources, including: Chapter 3 of Computer Systems 3 nd Edition by Bryant and O'Hallaron
CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 5
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2017 Lecture 5 LAST TIME Began exploring x86-64 instruction set architecture 16 general-purpose registers Also: All registers are 64 bits wide rax-rdx are
CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015
CS165 Computer Security Understanding low-level program execution Oct 1 st, 2015 A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns
Assembly I: Basic Operations. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly I: Basic Operations Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Basic Execution Environment RAX RBX RCX RDX RSI RDI RBP RSP R8 R9 R10
CSE 351 Midterm Exam Spring 2016 May 2, 2015
Name: CSE 351 Midterm Exam Spring 2016 May 2, 2015 UWNetID: Solution Please do not turn the page until 11:30. Instructions The exam is closed book, closed notes (no calculators, no mobile phones, no laptops,
Assembly II: Control Flow
Assembly II: Control Flow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)
MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION
MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics:
x64 Cheat Sheet Fall 2014
CS 33 Intro Computer Systems Doeppner x64 Cheat Sheet Fall 2014 1 x64 Registers x64 assembly code uses sixteen 64-bit registers. Additionally, the lower bytes of some of these registers may be accessed
Intel x86-64 and Y86-64 Instruction Set Architecture
CSE 2421: Systems I Low-Level Programming and Computer Organization Intel x86-64 and Y86-64 Instruction Set Architecture Presentation J Read/Study: Bryant 3.1 3.5, 4.1 Gojko Babić 03-07-2018 Intel x86
Binghamton University. CS-220 Spring x86 Assembler. Computer Systems: Sections
x86 Assembler Computer Systems: Sections 3.1-3.5 Disclaimer I am not an x86 assembler expert. I have never written an x86 assembler program. (I am proficient in IBM S/360 Assembler and LC3 Assembler.)
Program Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
CHAPTER 3 BASIC EXECUTION ENVIRONMENT
CHAPTER 3 BASIC EXECUTION ENVIRONMENT This chapter describes the basic execution environment of an Intel 64 or I A-32 processor as seen by assemblylanguage programmers. It describes how the processor executes
Assembly Programming III
Assembly Programming III CSE 410 Winter 2017 Instructor: Justin Hsia Teaching Assistants: Kathryn Chan, Kevin Bi, Ryan Wong, Waylon Huang, Xinyu Sui Facebook Stories puts a Snapchat clone above the News
Lab 3. The Art of Assembly Language (II)
Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified
The x86 Architecture
The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015
Program Synthesis in Reverse Engineering
Program Synthesis in Reverse Engineering Rolf Rolles Möbius Strip Reverse Engineering http://www.msreverseengineering.com No Such Conference Keynote Speech November 19th, 2014 Program Synthesis in Reverse
How Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Programming
Marking Scheme. Examination Paper. Module: Microprocessors (630313)
Philadelphia University Faculty of Engineering Marking Scheme Examination Paper Department of CE Module: Microprocessors (630313) Final Exam Second Semester Date: 12/06/2017 Section 1 Weighting 40% of
A4 Sample Solution Ch3
A4 Sample Solution Ch3 2. AL, AH, BL, BH,CL,CH,DLl, DH 3. AX, BX, CX, DX, SP, BP, SI, DI, CS, DS, ES, SS, FS, GS 4. EAX, EBX, ECX, EDX, ESP, EBP, EDI, ESI 5. RAX, RBX, RCX, RDX, RSP, RBP, RSI, RDI and
Basic Execution Environment
Basic Execution Environment 3 CHAPTER 3 BASIC EXECUTION ENVIRONMENT This chapter describes the basic execution environment of an Intel Architecture processor as seen by assembly-language programmers.
Return Oriented Programming
ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together
Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
Today: Machine Programming I: Basics. Machine Level Programming I: Basics. Intel x86 Processors. Intel x86 Evolution: Milestones
Today: Machine Programming I: Basics Machine Level Programming I: Basics 15 213/1 213: Introduction to Computer Systems 5 th Lecture, Jan 29, 2013 History of Intel processors and architectures C, assembly,
SOEN228, Winter Revision 1.2 Date: October 25,
SOEN228, Winter 2003 Revision 1.2 Date: October 25, 2003 1 Contents Flags Mnemonics Basic I/O Exercises Overview of sample programs 2 Flag Register The flag register stores the condition flags that retain
Where We Are. Optimizations. Assembly code. generation. Lexical, Syntax, and Semantic Analysis IR Generation. Low-level IR code.
Where We Are Source code if (b == 0) a = b; Low-level IR code Optimized Low-level IR code Assembly code cmp $0,%rcx cmovz %rax,%rdx Lexical, Syntax, and Semantic Analysis IR Generation Optimizations Assembly
Introduction to Machine/Assembler Language
COMP 40: Machine Structure and Assembly Language Programming Fall 2017 Introduction to Machine/Assembler Language Noah Mendelsohn Tufts University Email: noah@cs.tufts.edu Web: http://www.cs.tufts.edu/~noah
Faculty of Engineering Computer Engineering Department Islamic University of Gaza Assembly Language Lab # 2 Assembly Language Fundamentals
Faculty of Engineering Computer Engineering Department Islamic University of Gaza 2011 Assembly Language Lab # 2 Assembly Language Fundamentals Assembly Language Lab # 2 Assembly Language Fundamentals
How Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Intel x86
Today: Machine Programming I: Basics
Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics: Registers, operands, move Intro to x86-64 1 Intel x86 Processors Totally dominate
RISC I from Berkeley. 44k Transistors 1Mhz 77mm^2
The Case for RISC RISC I from Berkeley 44k Transistors 1Mhz 77mm^2 2 MIPS: A Classic RISC ISA Instructions 4 bytes (32 bits) 4-byte aligned Instructions operate on memory and registers Memory Data types
Instructions moving data
do not affect flags. Instructions moving data mov register/mem, register/mem/number (move data) The difference between the value and the address of a variable mov al,sum; value 56h al mov ebx,offset Sum;
Machine/Assembler Language Putting It All Together
COMP 40: Machine Structure and Assembly Language Programming Fall 2015 Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Email: noah@cs.tufts.edu Web: http://www.cs.tufts.edu/~noah
CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017
CS 31: Intro to Systems ISAs and Assembly Martin Gagné Swarthmore College February 7, 2017 ANNOUNCEMENT All labs will meet in SCI 252 (the robot lab) tomorrow. Overview How to directly interact with hardware
Lecture (02) The Microprocessor and Its Architecture By: Dr. Ahmed ElShafee
Lecture (02) The Microprocessor and Its Architecture By: Dr. Ahmed ElShafee ١ INTERNAL MICROPROCESSOR ARCHITECTURE Before a program is written or instruction investigated, internal configuration of the
FLARE-On 4: Challenge 3 Solution greek_to_me.exe
FLARE-On 4: Challenge 3 Solution greek_to_me.exe Challenge Author: Matt Williams (@0xmwilliams) greek_to_me.exe is a Windows x86 executable whose strings reveal what is likely the desired state of the
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
Midterm 1 topics (in one slide) Bits and bitwise operations. Outline. Unsigned and signed integers. Floating point numbers. Number representation
Midterm 1 topics (in one slide) CSci 2021: Review Lecture 1 Stephen McCamant University of Minnesota, Computer Science & Engineering Number representation Bits and bitwise operators Unsigned and signed
CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 12
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2017 Lecture 12 CS24 MIDTERM Midterm format: 6 hour overall time limit, multiple sittings (If you are focused on midterm, clock should be running.) Open book
The Hardware/Software Interface CSE351 Spring 2013
The Hardware/Software Interface CSE351 Spring 2013 x86 Programming II 2 Today s Topics: control flow Condition codes Conditional and unconditional branches Loops 3 Conditionals and Control Flow A conditional
Basic Pentium Instructions. October 18
Basic Pentium Instructions October 18 CSC201 Section 002 Fall, 2000 The EFLAGS Register Bit 11 = Overflow Flag Bit 7 = Sign Flag Bit 6 = Zero Flag Bit 0 = Carry Flag "Sets the flags" means sets OF, ZF,
Lecture 2 Assembly Language
Lecture 2 Assembly Language Computer and Network Security 9th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 2, Assembly Language 1/37 Recap: Explorations Tools assembly
Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11
X86 Debug Computer Systems Section 3.11 GDB is a Source Level debugger We have learned how to debug at the C level But the machine is executing X86 object code! How does GDB play the shell game? Makes
OptiCode: Machine Code Deobfuscation for Malware Analysis
OptiCode: Machine Code Deobfuscation for Malware Analysis NGUYEN Anh Quynh, COSEINC CONFidence, Krakow - Poland 2013, May 28th 1 / 47 Agenda 1 Obfuscation problem in malware analysis
Introduction to 8086 Assembly
Introduction to 8086 Assembly Lecture 7 Multiplication and Division Multiplication commands: mul and imul mul source (source: register/memory) Unsigned Integer Multiplication (mul) mul src (src: register/memory)
Basics. Crash Dump Analysis 2015/2016. CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics.
Basics http://d3s.mff.cuni.cz Crash Dump Analysis 2015/2016 CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Processors Basic functionality of processors Execute machine code Sequence of
Q1: Multiple choice / 20 Q2: Protected mode memory accesses
16.317: Microprocessor-Based Systems I Summer 2012 Exam 2 August 1, 2012 Name: ID #: For this exam, you may use a calculator and one 8.5 x 11 double-sided page of notes. All other electronic devices (e.g.,
The von Neumann Machine
The von Neumann Machine 1 1945: John von Neumann Wrote a report on the stored program concept, known as the First Draft of a Report on EDVAC also Alan Turing Konrad Zuse Eckert & Mauchly The basic structure
x86 64 Programming II
x86 64 Programming II CSE 351 Autumn 2018 Instructor: Justin Hsia Teaching Assistants: Akshat Aggarwal An Wang Andrew Hu Brian Dai Britt Henderson James Shin Kevin Bi Kory Watson Riley Germundson Sophie
/INFOMOV/ Optimization & Vectorization. J. Bikker - Sep-Nov Lecture 2: Low Level. Welcome!
/INFOMOV/ Optimization & Vectorization J. Bikker - Sep-Nov 2017 - Lecture 2: Low Level Welcome! INFOMOV Lecture 2 Low Level 2 Previously in INFOMOV Consistent Approach (0.) Determine optimization requirements
Branching and Looping
Branching and Looping Ray Seyfarth August 10, 2011 Branching and looping So far we have only written straight line code Conditional moves helped spice things up In addition conditional moves kept the pipeline
ESET Research Whitepapers // January 2018 // Author: Filip Kafka ESET S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER
ESET Research Whitepapers // January 2018 // Author: Filip Kafka ESET S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER 2 CONTENTS Introduction 3 Anti-disassembly 4 FinFisher s virtual machine 7 Terms
Millions of instructions per second [MIPS] executed by a single chip microprocessor
![Millions of instructions per second [MIPS] executed by a single chip microprocessor](/thumbs/78/78775768.jpg "Millions of instructions per second [MIPS] executed by a single chip microprocessor")
Microprocessor Design Trends Joy's Law [Bill Joy of BSD4.x and Sun fame] MIPS = 2 year-1984 Millions of instructions per second [MIPS] executed by a single chip microprocessor More realistic rate is a
CS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor
CS 261 Fall 2018 0000000100000f50 55 48 89 e5 48 83 ec 10 48 8d 3d 3b 00 00 00 c7 0000000100000f60 45 fc 00 00 00 00 b0 00 e8 0d 00 00 00 31 c9 89 0000000100000f70 45 f8 89 c8 48 83 c4 10 5d c3 Mike Lam,
The von Neumann Machine
The von Neumann Machine 1 1945: John von Neumann Wrote a report on the stored program concept, known as the First Draft of a Report on EDVAC also Alan Turing Konrad Zuse Eckert & Mauchly The basic structure
MACHINE-LEVEL PROGRAMMING I: BASICS
MACHINE-LEVEL PROGRAMMING I: BASICS CS 429H: SYSTEMS I Instructor: Emmett Witchel Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics:
Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어
Lab 4: Basic Instructions and Addressing Modes
COE 205 Lab Manual Lab 4: Basic Instructions and Addressing Modes - page 36 Lab 4: Basic Instructions and Addressing Modes Contents 4.1. Data Transfer Instructions 4.2. Addition and Subtraction 4.3. Data
16.317: Microprocessor Systems Design I Fall 2014
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
Carnegie Mellon. 5 th Lecture, Jan. 31, Instructors: Todd C. Mowry & Anthony Rowe
Machine Level Programming I: Basics 15 213/18 213: 213: Introduction to Computer Systems 5 th Lecture, Jan. 31, 2012 Instructors: Todd C. Mowry & Anthony Rowe 1 Today: Machine Programming gi: Basics History
Reverse Engineering II: The Basics
Reverse Engineering II: The Basics Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Binary Numbers 1 0 1 1 - Nibble B 1 0 1 1 1 1 0 1 - Byte B D 1 0 1 1 1
CSE 351 Midterm - Winter 2015
CSE 351 Midterm - Winter 2015 February 09, 2015 Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate will prove
How Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Programming
Chapter 3 Machine-Level Programming I: Basics. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition
Chapter 3 Machine-Level Programming I: Basics 1 Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics: Registers, operands, move Arithmetic